
An Effective Measurement of Data Security in a Cloud Computing Environment


Academic year: 2021


A.A. Elusoji, Computer Technology Department, Yaba College of Technology, Yaba, Lagos State, Nigeria. [email protected]

L.N. Onyejegbu, Computer Science Department, University of Port-Harcourt, Rivers State. [email protected]

O.S. Ayodele, Computer Science Department, Kogi State Polytechnic, Lokoja. [email protected]

ABSTRACT

The increasingly sophisticated network infrastructure and increased bandwidth developed in recent years have dramatically enhanced the stability of various application services available to users through the Internet, thus marking the beginning of cloud computing network services. Security for cloud computing is an emerging field because of cloud computing's performance, high availability and low cost, and since there is a critical need to securely store, manage, share and analyze massive amounts of complex web applications, it is important that clouds be secure. Service providers must have a viable way to protect their clients’ data, especially to prevent the data from disclosure by unauthorized insiders. This paper focuses on the problem of data security. It describes an approach to securing cloud computing based on analysis of cloud security threats and the technical components of cloud computing.

Keywords: Cloud Computing, Security threats, Service provider, Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS)

African Journal of Computing & ICT Reference Format:

A.A. Elusoji, L.N. Onyejegbu & O.S. Ayodele (2013). An Effective Measurement of Data Security in a Cloud Computing Environment. Afr J. of Comp & ICTs. Vol 6, No. 2. pp 67-76

1. INTRODUCTION

There are numerous security issues for cloud computing as it encompasses many technologies including networks, databases, operating systems, virtualization, resource scheduling, transaction management, load balancing, concurrency control and memory management. Therefore, security issues for many of these systems and technologies are applicable to cloud computing. For example, the network that interconnects the systems in a cloud has to be secure. Furthermore, the virtualization paradigm in cloud computing results in several security concerns. For example, mapping the virtual machines to the physical machines has to be carried out securely. Data security involves encrypting the data as well as ensuring that appropriate policies are enforced for data sharing. In addition, resource allocation and memory management algorithms have to be secure.

Each type of cloud computing model—public, private or hybrid—faces different levels of IT risk. In the private cloud delivery model, the cloud owner does not share resources with any other company. Private clouds are owned and operated by a single organization, delivering IT services within the constraints of their own network perimeter. In the public cloud computing model, IT activities and functions are provided as a service that can be billed on a pay-per-use or subscription basis via the Internet from external suppliers, using resources not owned by the consumer. The sharing of IT resources in a public, multitenant environment can help improve utilization rates and can reduce costs significantly, while maintaining access to high quality technology. In a public cloud, an organization rents IT resources instead of having to invest in their own physical IT infrastructure or maintain under-utilized equipment to service peak loads.


Instead, they can scale usage up or down, according to need, with costs directly proportional to need. Many organizations embrace both public and private cloud computing by integrating the two models into hybrid clouds.

2. OVERVIEW OF CLOUD COMPUTING

Cloud computing services such as Amazon EC2 and Windows Azure are becoming more and more popular, but it seems many people are still unclear as to what exactly the buzzword “Cloud computing” actually means. In its simplest form, the principle of Cloud computing is the provision of computing resources via a network. It shifts the responsibility of configuring, deploying and maintaining computing infrastructure from clients to Cloud providers. Providers generally expose an interface for clients to interact with their resources as if they were their own standalone resource; however, a number of resources may often be aggregated on the same computer or cluster of computers. The user does not necessarily know the details of the location, equipment or configuration of their resources; rather, they are provided with a “virtualised” computer resource hosted in “the Cloud”.

There are distinctions among the most common cloud service models, as shown in Figure 1. Available to anyone with Internet access, cloud service models include:

Software as a Service (SaaS) cloud model

SaaS clients rent usage of applications running within the Cloud provider's infrastructure. It enables software to be delivered from a host source over a network as opposed to installations or implementations.

Platform as a Service (PaaS) cloud model

PaaS Cloud providers offer an application platform as a service, for example Google App Engine. This enables clients to deploy custom software using the tools and programming languages offered by the provider. Clients have control over the deployed applications and environment-related settings. It enables operating systems and middleware services to be delivered from a managed source over a network.

Infrastructure as a Service (IaaS) cloud model

IaaS delivers hardware resources such as CPU, disk space or network components as a service. These resources are usually delivered as a virtualization platform by the Cloud provider and can be accessed across the Internet by the client. It enables the entire infrastructure to be delivered as a service over a network, including storage, routers, virtual systems, hardware and servers.


3. TECHNICAL COMPONENTS OF CLOUD COMPUTING

As shown in Figure 2, the key functions of a cloud management system are divided into four layers: the Resources & Network Layer, Services Layer, Access Layer, and User Layer. Each layer includes a set of functions:

• The Resources & Network Layer manages the physical and virtual resources.

• The Services Layer includes the main categories of cloud services, namely, NaaS, IaaS, PaaS, SaaS/CaaS, the service orchestration function and the cloud operational function.

• The Access Layer includes API termination function, and Inter-Cloud peering and federation function.

• The User Layer includes End-user function, Partner function and Administration function.

Figure 2. The cloud computing components


Other functions like Management, Security & Privacy, etc. are considered cross-layer functions that cover all the layers. The main principle of this architecture is that all these layers are supposed to be optional. This means that a cloud provider who wants to use the reference architecture may select and implement only a subset of these layers. However, from the security perspective, the principle of separation requires each layer to take charge of certain responsibilities. In the event that the security controls of one layer are bypassed (e.g. the access layer), other security functions could compensate and thus should be implemented either in other layers or as cross-layer functions.

4. SECURING DATA IN THE CLOUDS

A common approach to protecting user data is to encrypt it before it is stored. In a cloud computing environment, a user’s data can also be stored following additional encryption, but if the storage and encryption of a given user’s data are performed by the same service provider, the service provider’s internal staff (e.g., system administrators and authorized staff) can use their decryption keys and internal access privileges to access user data. From the user’s perspective, this could put his stored data at risk of unauthorized disclosure. In this approach, if a user (either an employee or an anonymous user) wants to access data that is protected, the user has to register (a user who is already registered does not need to register again).

Now suppose the user has registered to access the data. The organization will provide a username and password for authentication. At the same time, the organization sends the username to the cloud provider.

1. Request for access data

2. Send the signal to redirect person

3. Redirects

Now when the user sends a request, along with the username, to the cloud provider to access the data, the cloud provider first checks which ring the requested data belongs to. If authentication is required, it first checks whether the username exists in its own directory; if the username does not exist, it asks the user to register.

If the username matches, it redirects the request to the company for authentication.

1. Send password for authentication

2. Redirect to access resource

3. Request redirected

Now the user sends the password for authentication, and after authentication the request is redirected to the cloud provider to access the resource. If the username and password do not match, the user is not allowed to access the account. In addition, if a hacker tries to break into the account of a particular user by trying the username and password, then once the limit on attempts is crossed the hacker gets only a fake database for the account.


Figure 3: Authentication cycle
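The authentication cycle described in this section, as an added Python sketch that is not code from the paper: the cloud provider holds only usernames and the data, the organization holds the passwords, and attempts beyond a limit receive a fake data set. The limit of 3, the ring names, the sample resources and every class and method name are assumptions made for the example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed limit; the paper gives no number


class CloudProvider:
    """Stores the data and a directory of usernames, never passwords."""

    def __init__(self):
        self.directory = set()
        self.alerts = []  # decoy hits, kept for the provider's monitoring
        # Constructed sample data: resource -> (ring, real content, decoy content)
        self._data = {
            "brochure.pdf": ("public", "course brochure", None),
            "grades.csv": ("protected", "real grades", "fabricated grades"),
        }

    def request(self, username, resource):
        """First exchange: check the ring, then the username directory."""
        ring, real, _ = self._data[resource]
        if ring == "public":
            return ("served", real)
        if username not in self.directory:
            return ("register", None)
        return ("redirect", None)  # user must authenticate at the organization

    def release(self, username, resource, verdict):
        """Second exchange: called by the organization after the password check."""
        _, real, decoy = self._data[resource]
        if verdict == "ok":
            return ("served", real)
        if verdict == "decoy":
            self.alerts.append((username, resource))
            return ("served", decoy)  # same status as a genuine response
        return ("denied", None)


class Organization:
    """Holds the credentials and makes the authentication decision."""

    def __init__(self, provider):
        self.provider = provider
        self._creds = {}     # username -> (salt, PBKDF2 hash)
        self._failures = {}  # username -> failed attempts since last success

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._creds[username] = (salt, self._hash(password, salt))
        self.provider.directory.add(username)  # only the username is shared

    def login(self, username, password, resource):
        if self._failures.get(username, 0) >= MAX_FAILURES:
            verdict = "decoy"  # limit crossed: every further attempt gets the decoy
        else:
            salt, stored = self._creds[username]
            if hmac.compare_digest(stored, self._hash(password, salt)):
                self._failures[username] = 0
                verdict = "ok"
            else:
                self._failures[username] = self._failures.get(username, 0) + 1
                verdict = "denied"
        return self.provider.release(username, resource, verdict)


def access(provider, org, username, password, resource):
    """Run the whole cycle for one request and return (status, content)."""
    status, content = provider.request(username, resource)
    if status == "redirect":
        return org.login(username, password, resource)
    return status, content
```

In this sketch an account stays in decoy mode once the limit is crossed, so even the correct password then returns the fake data until the counter is reset out of band; that behaviour is a design choice of the example.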

5. THREATS TO SECURITY IN THE CLOUD

There are several significant threats that should be considered before adopting the paradigm of cloud computing in e-learning. These threats are described as follows:

1) Abuse and Nefarious use of cloud: Cloud service providers are often targeted for their weak registration systems and limited fraud detection capabilities. This paves the way for spammers, malicious code authors and other cybercriminals to misuse the various types of services, including unlimited bandwidth and storage facilities, offered by the cloud providers. Misuse includes creating spam, decoding and cracking of passwords, and executing malicious code to access rich information such as question papers, learning materials, assessments etc.

2) Insecure Software Access: Various software interfaces and APIs are used by the cloud users in e-learning to access and manage the cloud services. These APIs play an integral part during provisioning, management, orchestration and monitoring of the processes running in a cloud environment. Hence these APIs need to be secured and should include features for authentication, access control, encryption and activity monitoring. Many security issues will be raised if cloud service providers rely on a weak set of APIs.

3) Malicious Insider: Malicious employees who are working at the provider's or user's site are able to perform insider attacks. Such an insider can steal the confidential data of cloud users in e-learning. A malicious insider can easily get the cloud users' confidential data such as passwords, cryptographic keys and files. This will affect the standards and trust of cloud users in e-learning. As a result, it can cause damage on financial grounds as well as to the organisation's reputation.


4) Data Separation: Virtual Machines (VMs) are virtualized on the physical hardware of cloud providers and, due to cloud virtualization, store the e-learning users' applications supplied by the cloud providers. These VMs are isolated from each other by cloud providers in order to maintain the security of users. These VMs are managed by the hypervisor, which is the main means of managing the virtualized cloud platform and provides virtual memory as well as CPU scheduling policies to the VMs. Hypervisors are mainly targeted by hackers since they reside between the VMs and the hardware. Strong isolation is needed to ensure that VMs are not able to access the activities of other VMs under the same cloud computing provider. Even though several vendors offer strong security mechanisms to protect the cloud supervisors, the security of VMs is sometimes compromised.

5) Data Loss or Leakage: Operational failures, unreliable data storage and inconsistent use of encryption keys will lead to data loss. Operational failure includes deletion, incomplete deletion or alteration without any backup of the source e-learning content. It may be either intentional or unintentional. Unreliable data storage means storing data on unreliable media from which it cannot be recovered if the data is lost. Inconsistent use of encryption keys will lead to unauthorized access and data loss such as destruction of sensitive and confidential information. It will definitely affect the reputation of the company.

6) Hijacking: Control of a user's account gained by hackers through unauthorised access is referred to as account or service hijacking. It includes phishing, fraud and exploitation of software vulnerabilities. It is not enough to secure sensitive and confidential information through the common authentication and authorization process in e-learning.

7) Unknown Risk: It is essential for every e-learning user to know the software versions, security practices, software code updates and intrusion attempts. Cloud service providers usually advertise these features and functionality with the necessary details such as internal security procedures, configuration hardening, patching, auditing and logging. E-learning users must be aware of, and have clarified, how their data and related files are stored. On the other hand, an e-learning user may be unaware of the unknown risk profile, which may include serious threats.


6. GUIDANCE FOR SECURITY CONCERN IN CLOUD BASED E-LEARNING

There are various steps given by the cloud service providers to address security concerns in cloud computing, which could be applied to cloud based e-learning. A few guidelines given by organizations such as the Cloud Standards Customer Council, Intel, Microsoft etc. to build security in the cloud are as follows:

A. Steps of Security for Cloud Computing [13][14]

This is designed to help public cloud consumers evaluate and compare the security provided in key areas by different cloud providers. These steps have to be followed by institutions to ensure the security of cloud computing before adopting cloud services in their e-learning systems.

1) Step 1: Ensure effective governance, risk and compliance processes: Security controls available in cloud computing are very similar to those in traditional IT environments. But educational institutions should understand their own level of risk tolerance and focus on mitigating the risks that they cannot afford to neglect.

2) Step 2: Audit operational and business processes: Audits should be carried out appropriately by the educational institution by assigning skilled staff, and a set of controls should be established to meet the institution's security requirements.

3) Step 3: Manage people, roles and identities: Educational institutions need to control users' roles and privileges, as they manage thousands of users such as students and staff who access cloud applications and services, each with different roles and rights.

4) Step 4: Ensure proper protection of data and information: Educational institutions should ensure the proper protection of data and information. Additional focus on data security is needed because of the distributed nature of the cloud computing infrastructure and the shared responsibilities that cloud computing involves.

5) Step 5: Enforce privacy policies: Educational institutions are responsible for defining policies to address any privacy concerns and for increasing awareness of data protection within the institutions. In addition, they should ensure that cloud providers adhere to the defined privacy policies.

6) Step 6: Assess the security provision for cloud applications: Educational institutions must apply the same diligence to application security as to both physical security and infrastructure security. Applications should not be compromised at any cost, to avoid any additional risk.

7) Step 7: Ensure cloud networks and connections are secure: Educational institutions should check for certain external network perimeter safety measures from cloud providers to ensure secured connections and networks.

8) Step 8: Evaluate security controls on physical infrastructure and facilities: Educational institutions should be concerned about the physical infrastructure and facilities provided by the cloud providers, as these are an important consideration for the security of any IT system, especially in cloud based e-learning.

9) Step 9: Manage security terms in the cloud Service Legal Agreement (SLA): As cloud services involve more than one organisation, the responsibilities of the user and the service provider must be made clear in the SLA for better understanding. Educational institutions should double check the terms in the SLA.

10) Step 10: Understand the security requirements of the exit process: The exit process must allow the educational institution to retrieve its data in a suitable secured form. It includes clarity on backup retention and deletion.

B. Seven Steps for building security in the cloud

This is a helpful guide designed for IT managers, setting out best practices to follow in order to help build security in the cloud.


Fig. 5: Seven Steps of security for Cloud Computing

1) Step 1: Start security planning early: The best way to approach cloud security is to integrate it with overall cloud planning early in the process. In this way, an educational institution can use a threat based approach to planning for deployments of its specific workloads, security requirements and specific cloud delivery model and architecture.

2) Step 2: Identify vulnerabilities for selected services: It is the responsibility of the educational institution to identify the vulnerabilities of the selected services in cloud computing. It is also important to understand that while a fill-the-gap approach may seem to work on a particular vulnerability, it may expose unknown vulnerabilities in other areas. The best approach is to review the specific service architecture and then layer technologies to develop a strong security net that protects data, applications, platform and network at all levels, irrespective of the chosen cloud model.

3) Step 3: Four things to mitigate security vulnerability: Four things an IT manager can do to mitigate security vulnerabilities in cloud based e-learning (Intel):

• Encrypt to protect data that rests or moves in the cloud, especially in public clouds.

• Establish a trusted foundation to secure the educational institution's data center platform and infrastructure and protect clients.

• Build higher assurance into compliance to streamline auditing.

• Establish and verify identities before the educational institution federates, by controlling access from trusted cloud users in e-learning and trusted systems.

4) Step 4: Protect data: Protect data in motion, in process and at rest. Encrypt the data wherever it is in the cloud: at rest, in process, or in motion. Data doesn't stay in one place on any network, and this is especially true of data in cloud based e-learning.

5) Step 5: Secured platform: Securing both client and server platforms in cloud based e-learning is very important as there is an increasing trend in malware threats. It will facilitate the additional enforcement point which builds trust between servers and between servers and


6) Step 6: Extend trust across federated clouds: An additional layer of complexity should be added to the current security equation in cloud based e-learning as it evolves the vision of federated cloud relationships across several cloud infrastructures. Managing identities and access-management policies, including standards-based single sign-on (SSO), strong authentication, account provisioning, API security and audit capability, can build trusted access to the cloud and across clouds. Simple usernames and passwords are not adequate for cloud security since they can be easily compromised. In a federated cloud environment, strong second-factor authentication is essential for secure SSO.

7) Step 7: Choose the right cloud service provider: Choosing the right cloud service provider is a tedious process as it involves many levels, from the cloud delivery model and architecture to specific applications. In addition, countless interdependencies and relationships exist among the vendors, both technological and business related. Cloud users in e-learning need to know about the data and platform protections for the services offered.

C. Checklist for Cloud Security [17]

Microsoft has given the following checklist for IT managers to ensure security in cloud based e-learning:

1) Integration: Integration points need to be checked against the security and identity management technologies currently available in the educational institution, such as active directory, controls for role-based access and entity-level applications.

2) Privacy: Educational institutions should make sure that the cloud service includes data encryption, effective data anonymization and mobile location privacy.

3) Access: Educational institutions should be aware of the means of preventing inadvertent access when resources are placed in a shared cloud infrastructure. The cloud provider's policy on accidental release of protected data must be carefully read by the educational institutions.

4) Jurisdiction: The location of a cloud provider's operation can affect the privacy laws that apply to the data it hosts. Educational institutions need to check whether the data is to reside within their legal jurisdiction.

REFERENCES

[1] D. Kasi Viswanath, S. Kusuma and Saroj Kumar Gupta [July 2012], “Cloud Computing Issues and Benefits Modern Education”, Global Journal of Computer Science and Technology Cloud & Distributed, Vol. 12 Issue 10 Version 1.0, pp. 15-19.

[2] Md. Anwar Hossain Masud, Xiaodi Huang [2012], “An E-learning System Architecture based on Cloud Computing”, World Academy of Science, Engineering and Technology.

[3] Paul Pocatilu [2010], “Cloud Computing Benefits for E-learning Solutions”, Oeconomics of Knowledge, Vol. 2, Issue 1, 1Q.

[4] A. Fernández, D. Peralta, F. Herrera, and J.M. Benítez [2012], “An Overview of E-Learning in Cloud Computing”, Available: http://sci2s.ugr.es/publications/ficheros

[5] Cloud Computing [Online] [2012], Available: http://en.wikipedia.org/wiki/Cloud_computing, accessed on November 2012.

[6] Ajith Singh. N, M. Hemalatha [2012], “Cloud Computing for Academic Environment”, International Journal of Information and Communication Technology Research, Vol. 2 No. 2, Feb.

[7] Bhruthari G. Pund, Prajakta P. Deshmukh, “Appliance of Cloud Computing on E-Learning”, International Journal of Computer Science and Management Research, Vol. 1 Issue 2, Sep. 2012.

[8] Ivan I Ivanov, “Cloud Computing in Education: The Intersection of Challenges and Opportunities”.

[9] Ahmed E. Youssef [2012], “Exploring Cloud Computing Services and Applications”, Journal of Emerging Trends in Computing and Information Sciences, Vol. 3, No. 6, July 2012.

[10] Mervat Adib Bamiah & Sarfraz Nawaz Brohi [2011], “Seven Deadly Threats and Vulnerabilities in Cloud Computing”, International Journal of Advanced Engineering Sciences and Technologies, Vol No. 9, Issue No. 1, pp. 087 – 090.

[11] Kangchan Lee, Electronics and Telecommunications Research Institute, [email protected]

[12] Joshi Ashay Mukundrao (2012). Enhancing Security in Cloud Computing. D.Y. Patil College Of Engineering, Akurdi, Pune, University of Pune, Maharashtra, India.

[13] S. Hameetha Begum, T. Sheeba, S.N. Nisha Rani (2013). Security in Cloud based E-Learning Computing. International Journal of Advanced Research in Computer Science and Software Engineering, Volume 3, Issue 1, January 2013, ISSN: 2277 128X. Research Paper. Available online at: www.ijarcsse.com

&Muscat College Computing &Muscat College ECE &Fatima Michael Engg. College Oman Oman Tamilnadu, India

[14] Kevin Hamlen, Murat Kantarcioglu, Latifur Khan, Bhavani Thuraisingham [2010]. Security Issues for Cloud Computing. International Journal of Information Security and Privacy, 4(2), 39-51, April-June 2010.

[15] IBM Global Technology Services, Technical White Paper, June 2011. Security and high availability in cloud computing environments.

[16] IBM Global Technology Services, Technical White Paper, June 2011. Security and high availability in cloud computing environment.

[17] Assessing Cloud Node Security Context

Information Security
